Pieter Wuille [ARCHIVE] on Nostr: 📅 Original date posted:2016-06-29 📝 Original message:On Jun 29, 2016 07:05, ...

📅 Original date posted:2016-06-29
📝 Original message:On Jun 29, 2016 07:05, "Ethan Heilman via bitcoin-dev" <
bitcoin-dev at lists.linuxfoundation.org> wrote:
>
> >It's also not clear to me why the HMAC, vs just
SHA256(key|cipher-type|mesg). But that's probably just my crypto
ignorance...
>
> SHA256(key|cipher-type|mesg) is an extremely insecure MAC because of
> the length extension property of SHA256.

This property does technically not apply here, as the output of the hash is
kept secret, and the possible messages are constants (which are presumably
chosen in such a way that one is never an extension of another).

However, this is a good example of why you can't generically use a hash
function in places where you want a MAC (aka "a hash with a shared
secret"). Furthermore, if you already have a hash function anyway, HMAC is
very easy construct on top of it.

--
Pieter
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20160629/72f9c103/attachment.html>;